CVE-2025-46559

Опубликовано: 05 мая 2025

Источник: nvd

CVSS3: 5.4

CVSS3: 7.5

EPSS Низкий

Описание

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with ../ to step out of the /api directory, thereby being able to make requests to other endpoints, such as /files, /url, and /proxy. Version 2025.4.1 fixes the issue.

Ссылки

https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663
Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

Версия от 12.31.0 (включая) до 2025.4.1 (исключая)

EPSS

Процентиль: 15%

0.00048

Низкий

5.4 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-22

EPSS

Процентиль: 15%

0.00048

Низкий

5.4 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-22